ISkIN (Posted February 11, 2023): Hello! I want to get a Let's Encrypt certificate for my Emby server on Windows. I want the certificate to be able to renew automatically without my participation and without the need to restart the Emby server. I tried using Certbot and ran into a problem. When using the "--webroot" certificate acquisition method, it is necessary to grant access to the root path of the server, so I specified the path C:\Users\ISkIN\AppData\Roaming\Emby-Server\system\dashboard-ui where index.html is located. The problem is that the program is trying to request a file at example.com/.well-known/acme-challenge/<...>, while in reality it is at example.com/web/.well-known/acme-challenge/<...>. Is there a way to override the root path of the Emby server? Or maybe there are other ways to get a certificate? I only need a method that does not require stopping my server, as in the case of the "--standalone" method.
Abobader (Posted February 11, 2023): Hello ISkIN, ** This is an auto reply ** Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread: Thank you. Emby Team
Q-Droid (Posted February 11, 2023): Regardless of the method you use to get the cert you will have to restart Emby. The certs are only loaded on startup. And if I read your post correctly the web root needed is certbot's, not Emby's. Certbot controls and validates the http endpoint.
Q-Droid (Posted February 11, 2023): I want to clarify that what you're doing only works on well-known http ports. The http-01 challenge only works on port 80, so for Emby to be involved it would also have to be reachable via port 80. It's a security change made to prevent site spoofing and cert hijacking.
jaycedk (Posted February 11, 2023): You can install a reverse proxy to get around that. The cert is renewed by certbot within the reverse proxy, if it runs in a VM or Docker. Just set Emby "Secure connection mode" to Handled by reverse proxy. With a reverse proxy you only need to open port 80 and 443 in your router. The reverse proxy will then, "when set up correctly", redirect requests to Emby port 8096 or 8920.
ISkIN (Posted February 11, 2023, Author): Thanks for the help. My server is running on port 80 and is accessible through it, the only problem was that Emby provides access to server files through a path like "example.com/web/<file_in_root_folder>". This additional "/web" prevented access to the verification file, because Let's Encrypt requests the file at "example.com/<file_in_root_folder>" and it doesn't know that the root of the Emby server is located at example.com/web/. In any case, if it still requires restarting the server to update the certificate, then I will use another method.
jaycedk (Posted February 11, 2023): With a reverse proxy Emby does not need to be restarted. The cert is served by the proxy. There are some really good guides in the Emby forum in order to find out more.
Q-Droid (Posted February 11, 2023, marked as Solution): I agree with the recommendation of a reverse proxy. On Windows it doesn't get any easier than Caddy, which has the added benefit of automatic cert renewal. Pretty much everything you're looking for.
ISkIN (Posted February 11, 2023, Author): Thanks for the tips, I set up using Caddy, this is really the best solution.
pwhodges (Posted February 11, 2023, edited February 12, 2023): Caddy is not limited to Windows - just saying... (this comment is not for this case, but for other users who might misread Q-Droid's post). Paul
Adamwcameron (Posted April 25): How/when does the automatic renewal take place with Caddy and how can I confirm my certificate was renewed? I set up Caddy and have been using it for a couple of months but just got an upcoming expiration notice email from Let's Encrypt for the first time. I wasn't sure if it is normal to receive the email each time the renewal is approaching and it will take place before the expiration, or if I missed something in my setup and it will still expire without renewing. I'm new to all this SSL stuff so not sure how to confirm if it's already renewed and I'm good to go.
pwhodges (Posted April 25): If you got an expiration notice for a certificate that Caddy is handling, something's wrong; Caddy starts trying to renew at about half the lifetime of the cert. The easiest way to check the cert is to go to the site in a browser and click the padlock - this should enable you to see the expiry date of the cert. Have you ensured that port 80 remains open through your firewall? Even though (by default) all connections are redirected to 443, port 80 is used in the default certificate checking. Paul
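
A scripted version of the expiry check described in the reply above, added here as an example (it is not code from the thread or from Caddy). The 0.5 renewal point mirrors the "about half the lifetime" figure in that reply and is passed as a parameter because it is an assumption; the function names and the sample dates are constructed.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def parse_cert_time(value):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' form used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def fetch_validity(host, port=443, timeout=10.0):
    """Return (notBefore, notAfter) of the certificate the server presents.

    The default context verifies the chain, so an already expired
    certificate raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


def renewal_status(not_before, not_after, now=None, renew_fraction=0.5):
    """Classify a certificate against the point where renewal should begin.

    renew_fraction is an assumption taken from the reply above ("about half
    the lifetime"); it is not read from Caddy's configuration.
    """
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    now = now or datetime.now(timezone.utc)
    renew_at = start + (end - start) * renew_fraction
    if now >= end:
        state = "expired"
    elif now >= renew_at:
        state = "renewal-due"  # past the renewal point, old cert still served
    else:
        state = "ok"
    return {"state": state, "renew_at": renew_at, "days_left": (end - now).days}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass the hostname as the argument
        dates = fetch_validity(sys.argv[1])
    else:  # constructed sample: a 90-day certificate
        dates = ("Feb 11 00:00:00 2023 GMT", "May 12 00:00:00 2023 GMT")
    print(dates, renewal_status(*dates))
```

A "renewal-due" result that persists across several days means the proxy is still serving the old certificate, and the port 80 reachability mentioned in the reply above is the first thing to check.
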
rbjtech (Posted April 26, edited April 26): Sorry - just repeated what Paul wrote ..